Attack Signals Possible Return of Genesis Market, Abuses Node.js, and EV Code Signing
TLP: WHITE | AlienVault | Created: 2023-11-24 | Modified: 2023-12-24 | 24 IOCs
The Trend Micro Managed XDR team encountered malicious operations that used techniques similar to the ones used by Genesis Market. The threat actor behind these operations abused Node.js to act as a platform for the backdoor, Extended Validation (EV) Code Signing for defense evasion, and possibly Google Colab to host search engine-optimized download sites.
Indicators of Compromise (5 / 24 total)
TYPE  INDICATOR                                                                           CREATED
URL   https://complete-s.monster/upd.php                                                  2023-11-24
URL   https://sito-company.com/launcher/auth                                              2023-11-24
URL   http://230927151335115.mxb.ewk48.shop/f/fvgs30927001.msi                            2023-11-24
URL   https://fast-difficult.monster/api7.php?name=microsoft_barcode_control_16.0_download  2023-11-24
URL   https://ps1-local.com/obfs3ip2.bs64                                                 2023-11-24